1. The use of cookies and the processing of personal data on our website
Why do we show you a cookie banner to start with when you visit our website (“consent manager”)?
The processing of your data on our website is in many cases only possible with your consent. Based on the case law of the ECJ and the Federal Supreme Court (BGH) in the “Planet49” case, for processes requiring consent we differentiate between the storage of cookies and the use of similar technologies on your terminal device (corresponds to the processing purpose “storing and/or retrieving information on a device”) and the further processing of your personal data (see all other processing purposes).
We request your consent via a consent manager, which opens directly when you access our website. With the consent manager, we offer you the possibility to decide for yourself how your personal data should be processed when you visit our website.
The first page of our consent manager allows you to get an overview of the processing purposes which you can give us your consent for. For more detailed information on the individual processing purposes, you can open the second page of our consent manager using the “Manage Settings” button. Here you’ll find out more about the purposes of the processing and all the service providers we currently use on our website. In addition, we would like to refer you to our general data protection declaration. Here you will find further information on the data processing procedures within the framework of our website as well as on your rights on the basis of the respective data processing.
What legal basis are cookies set on?
As a rule, we only use cookies on the basis of your consent.
However, certain data processing operations are absolutely necessary to ensure the proper operation of a website. This may include the setting of cookies in exceptional cases. Processing that is absolutely necessary enables, for example, the readability of our offers or guarantees the security of our website. In addition, the use of cookies may be required for the purpose of contract fulfilment, for example to carry out the log-in within a member area. In both cases, we set cookies without asking for your consent. We cannot offer an option to object to these (technically) necessary cookies. However, you can deactivate the cookies required for this in your browser settings.
Is consent required for all data processing on a website that is not absolutely necessary?
No. The known decisions of the ECJ and the Federal Supreme Court on “Planet49” relate to cookies, specifically the storage of information on a user’s terminal devices. If no information is stored on a terminal device or if downstream processing of personal data is carried out, these processing operations can be based on all the legal bases specified in Art. 6 para. 1 GDPR. The prerequisite for this is, of course, that the respective requirements of the standard are met. For this reason, in addition to the above-mentioned possibilities, we also base the processing of personal data on our overriding legitimate interest. Our legitimate interests include, for example, business interests as well as the improvement of our online offer.
You can regularly object to the data processing operations that we carry out on the basis of our overriding legitimate interest, either individually or as a whole, by following the buttons provided. However, it is not possible to object to processing that is absolutely necessary.
Data processing also takes place on the website if consent is not given. Doesn't this cookie practice undermine the GDPR or the ePrivacy Directive, which explicitly requires an opt-in for tracking?
No. We differentiate between the GDPR and the ePrivacy Directive or its national implementation (§§ 11 ff. of the German Telemedia Act (TMG)). Absolutely necessary cookies can also be set without consent. Data processing that does not consist of setting cookies can be based on all legal grounds mentioned in Art. 6 para. 1 GDPR if the respective prerequisites are met. For this, please refer to the previous question “Is consent required for all data processing on a website that is not absolutely necessary?”
How can I - as far as possible - prevent the processing activities and the setting of cookies that require consent?
You can decide to what extent processing operations requiring consent are carried out within the framework of our website. For this, you can use the consent manager, which is displayed at the start of your visit to the website. Within the consent manager, you can decide which processing operations you wish to consent to and which are out of the question for you. Please note that some of the features of our website can only be provided on the basis of your consent. For example, the integration of social media channels such as YouTube or Instagram depends on your consent (as these are provided by a third-party service).
Is the processing of personal data and the setting of cookies generally prevented by the consent manager?
Processing operations requiring your consent will only take place or cookies will only be set for the purposes of personalised marketing if you give your consent. As long as consent has not been given, processing operations that require consent are technically prevented by the consent manager.
However, the consent manager does not prevent cookies that are absolutely necessary or processing that does not require consent, e.g. based on the legal basis of overriding legitimate interest (Art. 6 para. 1 lit. f) GDPR).
You do not need to make any further settings if you do not wish processing requiring consent to take place. In particular, it is not necessary that you deactivate all partners individually. If - having not given your consent - processing still takes place on the website that can be seen in relevant tools (e.g. Ghostery), then no cookie will be set for this (with the exception of the absolutely necessary cookies).
Step 2:
On the second page of the consent manager, do not click on any of the options (i.e. leave it on the “Default” setting). In this way, all processing operations requiring consent are “deselected at once”. This means you have not given your consent. Then confirm this selection with “Save and Exit”.
(If appl.) Step 3:
If you also wish to object to data processing on the legal basis of overriding legitimate interest (where possible), click on “Manage Settings” and then on “Deny All”.
Please note that you need to repeat these settings for each terminal device. Since - in the interests of data protection - we do not link your terminal devices or your cookie IDs with your name and email address, we are unfortunately unable to carry out the technical settings for you.
2. The design of our consent manager
Many consent managers look the same - the selection menu seems to be standardised across companies. Why is that and what advantages does it have for me?
Although website operators often use different consent managers, these are usually based on the so-called Transparency and Consent Framework (“TCF”) standard of the Interactive Advertising Bureau (“IAB”). The TCF standard is intended to enable website operators to interact with partners, e.g. for advertising marketing, by means of standardised, user-friendly and transparent procedures. This standard was designed with data protection experts throughout Europe and is intended to guarantee legally compliant implementation of statutory requirements. If consent is required for the processing of personal data, for example, this procedure is used to transmit the consent to the partner (so-called “signal transmission”). Under the TCF, the partner undertakes, among other things, to read out the transmitted signals correctly and in compliance with data protection. Further information on this can be found at: https://iabeurope.eu/transparency-consent-framework/
Why is the button in the cookie settings “Accept All” coloured with most publishers, whereas the button “Save and Exit” is not highlighted?
Various designs have become established on the market that are intended to meet the interests of both the data protection controllers and the users. For example, there are users who feel bothered by consent managers. They should be able to give consent at the first level of a consent banner. Others would like to be able to choose between different purposes or confirm their choice that no processing operations requiring consent will take place or cookies set. The consent managers meet these different requirements and expectations, but also especially underline the requirement of the GDPR that consent managers should not unnecessarily interrupt digital content (see recital 32 sentence 6 GDPR). This can be guaranteed by means of an appropriate design.
The GDPR does not regulate the design of the “buttons”. In contrast, the IAB standard requires in its data protection guidelines that there must be equal weighting, which can be fulfilled by using equal font sizes and weights and by having a minimum contrast ratio of 5:1. If companies do not comply with this requirement, they risk a warning and possibly suspension by the IAB.
Why is data processing on the basis of “legitimate interests” pre-set?
Processing based on overriding legitimate interests is carried out independently of consent given for other processing and until the user objects. This can be done under “Settings” for all processing operations at the same time (“Deny all”), or individually.
Important:
Numerous service providers can be found several times within the consent manager. The reason for this is that processing operations within the consent manager are divided into categories, or processing purposes. It is possible, for example, that one service provider is deployed for several processing purposes. For example, a service provider can set a cookie to create usage profiles for advertising or market research purposes because it wants to display personalised advertising on an advertising space on the website. In addition, the service provider can also be deployed for the purpose of measuring the frequency with which an advertisement is shown. In this example case, the service provider would be seen in three categories:
- “Store and/or access information on a device”: This category implements the ePrivacy Directive and the requirements of the Federal Court of Justice concerning “Planet49” by obtaining consent for the setting of certain cookies.
- “Selection of simple displays”: Among other things, this category enables so-called “frequency capping” (this has the effect, e.g., that an advertisement for a health insurance policy is only shown once, not repeatedly in succession.). The basis for this processing is the overriding legitimate interest.
- “Personalised advertisements and content”: We only carry out personalised advertising, which is made possible by this category, with the consent of the user.
In some cases, it may therefore happen that service providers are not deployed, although the respective processing purpose is based on the overriding legitimate interest. For example, there is no so-called “frequency capping” (on the basis of overriding legitimate interests) if the underlying processing requires consent.
However, a service provider can also be deployed directly and detected (by the relevant tools). This is the case if no cookie is set for the specific processing or this processing does not directly serve advertising or market research purposes. This also applies if the setting of a cookie is absolutely necessary.
Why can I see cookies although I have not yet consented to them?
As already explained, certain (technically necessary) cookies are also set without your consent. However, if no consent has been given, only cookies which are absolutely necessary will be set. On the basis of these cookies, only those processing operations are carried out that are based on an overriding legitimate interest or on a contractual basis. The service providers that set cookies on our website are subject to review by the IAB in accordance with the TCF. We also check at regular intervals whether service providers are behaving in a legally compliant manner when using cookies or other processing operations.
If you notice any particular processing, feel free to let us know - it is possible that what you see is not a cookie. Or what you see does not actively process data without your consent. This is the case, for example, with so-called “tag managers”. “Tag managers” are absolutely necessary, as the integration of “social media content” using the so-called two-click solution would not be possible without such “tag managers”.
Some companies have more than 100 trackers deployed on their sites - why?
We market the majority of the advertising spaces on our website through what is known as programmatic sales. Programmatic sales means that we award advertising spaces to the highest bidders from a certain group of participants in the context of an auction. We finance our journalistic offer in this way and are able to make parts of our website freely available to the public, i.e. without payment in return.
This form of marketing has the effect that a large number of bidders bid for an advertising space and that consequently several bidders are admitted to the bidding procedure (i.e. in the programmatic sale). To make consent as clear and transparent as possible, we name all these bidders in the consent manager.
Our service providers have undertaken to observe the above TCF standard and thus to act in compliance with data protection. Nevertheless, we have not included all service providers committed to the TCF standard - currently more than 600 - on our website, but have made a selection here. So if we “allow” more than 100 so-called “vendors”, they are never represented in our digital offers at the same time.
Why do I see such a long list under the “Vendors” tab? Do all these service providers always track?
No. Within the “Vendors” you can see all service providers we potentially work with. This is a summary of all possible partners - regardless of the legal basis. Here you can see service providers that are partly pre-set, partly deactivated and partly “centrally” positioned. Service providers that are set to “ON” are permitted to process your data based on your settings.
This processing takes place either because you have consented to the processing or because you have not objected to processing on the basis of legitimate interests. Service providers that are set to “OFF” do not process your data. Service providers that are set to “central” process data for several purposes with different legal bases. In these cases, a number of purposes are permitted by pre-selection (e.g. on the basis of our overriding legitimate interest), while others are not (e.g. for personalised marketing requiring consent).
Why so many trackers? That’s crazy!
Not all partners which are listed under “Service providers” and set to “ON” actually receive and process your personal data. This is above all due to the programmatic marketing of our website (more information on the term programmatic sales can be found under the question “Some companies have more than 100 trackers deployed on their sites - why?”).
How many and which of the service providers listed in the consent manager can be deployed in your case depends on various factors, e.g.:
- the bookings of our advertising customers,
- which pages and sub-pages, including channels, integrations and insertions of the integrated service providers and their partners or sub-partners you visit,
- how long you stay on our site, in particular how many of our advertising spaces you have visited.
Nevertheless, we show you all the service providers in the consent manager. This is customary for all websites that are marketed programmatically.
The reason for this is that we cannot predict your surfing behaviour and the bookings of our advertising customers in the tenth of a second in which the programmatic sale of advertising space on our website occurs.
What data do all these partners receive?
Depending on your individual selection within the consent manager, we and our partners especially process your personal data in pseudonymised form. This processing also includes information about your terminal device and other technical identifiers.
In some cases, we need this data simply to design our articles or advertisements for the format of your terminal device (e.g. a mobile device formats differently to a laptop). In other cases, the processing controls the frequency of advertisements and thus prevents you from being shown the same advertisement too many times in succession on one day. Advertising customers often also want to measure the reach of their advertisement, as this forms the basis of the payment to us.
Publishers especially finance themselves through advertising. Therefore, we have to account for the fact that advertising is now becoming personalised (i.e. relevant to the individual user). This means that our service providers use your data to show you particularly relevant advertising (sports jerseys for sports fans, nail polish for readers of the fashion section, etc.). For this purpose, some service providers create user profiles (with the aid of so-called cookie IDs) on your surfing behaviour and combine the information collected on different websites. We also only use such service providers on the basis of your consent.
On our website, neither your name nor your e-mail or postal address is collected by advertising service providers. We do not work with “browser fingerprints”.
Why do I keep seeing the consent manager again? Please accept my settings instead of constantly asking for them again and again.
The consent solution we have used since 2020 is based on the initiative of the IAB (for more information on the IAB, see the question “Many consent managers look the same - the selection menu seems to be standardised across companies. Why is that and what advantages does it have for me?”).
Due to the developments in legislation and case law as well as technical requirements, we are forced to use consent managers. We are aware that these requirements do not necessarily contribute to better usability and readability of the websites. However, our consent manager is designed so that you only need to make your settings once. The next time you visit the same page with the same terminal device, your settings are saved for a certain period of time.
If you see the consent manager again before the end of this period, this may be for the following reasons:
- You are using a different terminal device or visiting a different website: Please note that you need to repeat your settings for each terminal device and each website. Also if you use several websites of the same group. Since - in the interests of data protection - we do not link your terminal devices or your cookie IDs with your name and email address, nor use your settings on different sites, we cannot relieve you of the extra effort. We also cannot have the technical settings carried out for you via customer service. If you send us an objection to processing under your name, it is also not possible for us to fulfil your request. In order to process your request in these cases, we would have to store considerably more of your data and also merge this information.
- You see the consent manager several times on the same terminal device for the same website: The settings you make have to be saved in order to avoid being queried again on your second visit. We do not store this data centrally on our own servers, but - at the explicit request of the data protection authorities - in the browser of your terminal device (again in a cookie). When you return to our website, this enables us to recognise the settings you have made and not require you to give your consent a second time. The disadvantage of this particularly data protection-friendly storage is that it only works as long as the cookie is not deleted from your browser. The commonly used operating systems now recognise this special cookie without deleting it at regular intervals. However, it is always possible that you use a system that - in the particular interest of data protection - deletes the cookie by default. This would have the effect that we would not be able to recognise your settings the next time you visit our website and that you would therefore be asked to give your consent or make the settings again. In this case, please give us as much information as possible about the operating system, version, etc., and our technicians are certain to find a solution for you.
- We are working with new service providers or with old service providers on a changed legal basis. Our consent manager is not static. New service providers are added all the time or companies are bought, change their name, etc. So that your consent is also correct, you need to declare or reject your consent again in our consent manager each time there is a change, or decide whether you want to object. This is another advantage of our consent manager - it dynamically takes account of such changes. Otherwise, your consent would quickly become incomplete and we would run the risk of no longer acting in accordance with the law. In such cases, we therefore show you the consent manager again.
Revocation - where can I revoke a consent I have given? Where can I change my settings?
Under the tab “Privacy settings” in the footer of our website (next to the Privacy Policy) you can change your settings at any time.
What’s next?
The requirements for effective consent are complex. Therefore, we are proud to be able to offer you a solution that not only meets the legal requirements but can also implement many other - at first glance seemingly incompatible - demands from politics and data protection associations.
We are continuously reviewing the available solutions and important comments from our users and work hard to further improve our consent manager for you. We therefore hope that we can carry out the consent management to your satisfaction and convince you of the solution presented.